OpenLDAP as proxy to AD
Mmuehlfeld (talk | contribs) (Moved this content from a larger page to a new one. Plus some minor cleanups)
Revision as of 18:06, 27 August 2015
OpenLDAP as proxy to Active Directory
Example of where you might need this: if you don't want a DC with all its services and open ports in your DMZ, you can set up a back-ldap proxy with OpenLDAP. You then limit access to your DC to this one host and the LDAP port (389), and all other hosts in your DMZ access the AD through the proxy. Keep in mind that the example below talks plain LDAP to the DC: because of "rebind-as-user", the credentials of every client bind are forwarded to the DC and cross the DMZ boundary in cleartext unless you use an ldaps:// URI (or back-ldap's "tls" directive for STARTTLS) on the proxy side.
- Use the following slapd.conf example:
 ### Schema includes ###########################################################
 include /etc/openldap/schema/core.schema
 include /etc/openldap/schema/cosine.schema
 include /etc/openldap/schema/inetorgperson.schema
 include /etc/openldap/schema/misc.schema
 include /etc/openldap/schema/nis.schema

 ## Module paths ##############################################################
 modulepath /usr/lib64/openldap/
 moduleload back_ldap
 moduleload rwm

 # Main settings ###############################################################
 pidfile /var/run/openldap/slapd.pid
 argsfile /var/run/openldap/slapd.args

 ### Database definition (Proxy to AD) #########################################
 database ldap
 readonly yes
 protocol-version 3
 rebind-as-user
 uri "ldap://{AD-Hostname/IP}:389"
 suffix "{your Domain DN}"
 overlay rwm
 rwm-map attribute uid sAMAccountName
 rwm-map attribute mail proxyAddresses

 ### Logging ###################################################################
 loglevel 0
If you already have an OpenLDAP server with a local database running, you can just add the proxy database definition, as long as the AD suffix does not overlap the suffix of your local database.
- If you don't need to remap attributes (e.g. mapping "sAMAccountName" to "uid" and "proxyAddresses" to "mail" as in the example above), you can leave out the "overlay rwm" and "rwm-map" lines. Note that rwm-map only renames the attribute; the values are passed through unchanged, so "mail" will carry the proxyAddresses values with their "SMTP:"/"smtp:" prefix.
- If you do remap attributes, then when starting slapd or running the slap* tools (e.g. slaptest) you may get warnings similar to the following (for the above two remappings):
 /etc/openldap/slapd.conf: line 28: warning, destination attributeType 'sAMAccountName' is not defined in schema PROXIED attributeDescription "SAMACCOUNTNAME" inserted.
 /etc/openldap/slapd.conf: line 29: warning, destination attributeType 'proxyAddresses' is not defined in schema PROXIED attributeDescription "PROXYADDRESSES" inserted.
This happens if you remap attributes that are not defined in your included schemas. Look up the AD schema definitions, put them in a file and include it from the schema section of slapd.conf. For the above two mappings, the following definitions in the schema file stop the two warnings:
 attributetype ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' SINGLE-VALUE )
 attributetype ( 1.2.840.113556.1.2.210 NAME 'proxyAddresses' SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
- Restart the OpenLDAP service (slapd). Check the proxy with an ldapsearch against the proxy host using a filter such as (uid=someuser): the filter is rewritten to sAMAccountName on the way to the DC and the result comes back with "uid".
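To make the rwm behaviour concrete, here is an added simulation (not OpenLDAP code, and not part of the original page) of what the two "rwm-map attribute" directives do to a search: attribute names are rewritten on the way to AD (filter and requested attribute list) and back again in the result entries, while the values are never touched. The AD entries and e-mail addresses are constructed for the example; the AD-side filter evaluation is deliberately reduced to a single equality or presence item.

```python
"""Simulate slapd's rwm overlay 'rwm-map attribute' directives.

Added illustration, not OpenLDAP code. The AD entries below are constructed.
"""
import re

# rwm-map attribute <client name> <AD name>, as in the slapd.conf example.
RWM_MAP = {"uid": "sAMAccountName", "mail": "proxyAddresses"}


def _lookup(mapping, name):
    """LDAP attribute names are case-insensitive; find a mapping accordingly."""
    for client_name, ad_name in mapping.items():
        if client_name.lower() == name.lower():
            return ad_name
    return None


def rewrite_filter(fltr, mapping=RWM_MAP):
    """Request direction: rename attributes in filter items such as (uid=alice)."""
    def sub(m):
        attr, op, value = m.groups()
        return "(%s%s%s)" % (_lookup(mapping, attr) or attr, op, value)
    return re.sub(r"\(([A-Za-z][\w.;-]*)(=|~=|>=|<=)([^()]*)\)", sub, fltr)


def rewrite_attrlist(attrs, mapping=RWM_MAP):
    """Request direction: rename the attributes the client asks to be returned."""
    return [_lookup(mapping, a) or a for a in attrs]


def rewrite_entry(entry, mapping=RWM_MAP):
    """Response direction: rename AD attribute names back to the client names.

    Values are copied as-is, so proxyAddresses values keep their 'SMTP:' prefix.
    """
    reverse = {ad_name.lower(): client_name for client_name, ad_name in mapping.items()}
    return {reverse.get(a.lower(), a): list(v) for a, v in entry.items()}


# Constructed sample of what the DC returns; 'bob' has no proxyAddresses.
AD_ENTRIES = [
    {"sAMAccountName": ["alice"], "uidNumber": ["10001"],
     "proxyAddresses": ["SMTP:alice@example.com", "smtp:a.example@example.com"]},
    {"sAMAccountName": ["bob"], "uidNumber": ["10002"]},
]


def _ad_matches(entry, ad_filter):
    """Minimal AD-side evaluation: one equality or presence item only."""
    m = re.fullmatch(r"\(([\w.;-]+)=([^()]*)\)", ad_filter)
    if not m:
        raise ValueError("only single-item filters are evaluated here: " + ad_filter)
    attr, value = m.groups()
    vals = next((v for k, v in entry.items() if k.lower() == attr.lower()), [])
    if value == "*":
        return bool(vals)
    return any(v.lower() == value.lower() for v in vals)


def proxy_search(fltr, attrs, ad_entries=AD_ENTRIES):
    """Run a client search through the simulated proxy.

    Returns (request as sent to AD, result entries as seen by the client).
    """
    ad_request = {"filter": rewrite_filter(fltr), "attrs": rewrite_attrlist(attrs)}
    wanted_names = [a.lower() for a in ad_request["attrs"]]
    results = []
    for entry in ad_entries:
        if _ad_matches(entry, ad_request["filter"]):
            returned = {k: v for k, v in entry.items() if k.lower() in wanted_names}
            results.append(rewrite_entry(returned))
    return ad_request, results


if __name__ == "__main__":
    request, entries = proxy_search("(uid=alice)", ["uid", "mail", "uidNumber"])
    print("sent to AD:  ", request)
    print("client sees: ", entries)
```

The client asks for "(uid=alice)" with attributes uid and mail; the DC receives "(sAMAccountName=alice)" asking for sAMAccountName and proxyAddresses, and the client gets back "uid" and "mail", the latter still holding "SMTP:alice@example.com". If you need bare addresses, rwm's rewrite rules (not shown on this page) or a client-side fix-up are required.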
nslcd: retrieve users/groups from AD through the OpenLDAP proxy
Example of where you need this: you need to resolve users and groups from AD through the OpenLDAP proxy because you want to see user and group names instead of numeric UIDs/GIDs, or you need to authenticate against AD through the OpenLDAP proxy.
- This requires a working OpenLDAP proxy to AD, as configured above.
- Create a new user in ADUC or with samba-tool that nslcd will use to bind to the AD ("nslcd-connect" in the example below). An unprivileged domain user is enough; it only needs to read user and group attributes.
- Adapt the following "/etc/nslcd.conf" example to your environment:
 # Mappings for Active Directory
 pagesize 1000
 referrals off

 # Passwd
 filter passwd (&(objectClass=posixAccount)(!(objectClass=computer))(uidNumber=*))
 map passwd homeDirectory UnixHomeDirectory
 map passwd gecos displayName
 map passwd gidNumber primaryGroupID

 # Shadow
 filter shadow (&(objectClass=posixAccount)(!(objectClass=computer))(uidNumber=*))
 map shadow shadowLastChange pwdLastSet

 # Groups
 filter group (&(objectClass=posixGroup)(gidNumber=*))
 map group uniqueMember member

 # Local account for nslcd
 uid nslcd
 gid ldap

 # Where is the LDAP
 uri ldap://{openLDAP-Proxy-Hostname/IP}:389
 base cn=Users,{your Domain DN}

 # Connect-Account
 binddn cn=nslcd-connect,cn=Users,{your Domain DN}
 bindpw {password}
This example assumes that you mapped the attribute "sAMAccountName" to "uid" in the OpenLDAP proxy configuration above; otherwise you have to map the attribute here (map passwd uid sAMAccountName). It is also required that the user accounts have a uidNumber and the groups a gidNumber attribute. Note that "map passwd gidNumber primaryGroupID" makes the RID of the user's primary group (513 for "Domain Users") the user's numeric GID, not the RFC 2307 gidNumber stored on the account; either give the matching group that gidNumber or drop this mapping. Because the file contains "bindpw" in cleartext, keep /etc/nslcd.conf readable by root only, and since the password is sent to the proxy over plain ldap://, enable TLS between nslcd and the proxy (nslcd's "ssl start_tls" together with an ldaps:// or STARTTLS-capable listener on the proxy) unless both hosts share a trusted network.
- Start the nslcd service and verify the result with "getent passwd" and "getent group", which should now list the AD users and groups.
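As an added illustration (not nss-pam-ldapd code, and not part of the original page) the following simulates how the "filter passwd" and "map passwd" directives above turn entries returned by the proxy into passwd(5) records. The entries are constructed to show the three cases that matter: a complete account, an account without uidNumber that the filter drops, and a computer account excluded by (!(objectClass=computer)); the output also shows the gidNumber/primaryGroupID effect described above.

```python
"""Simulate nslcd.conf 'filter passwd' / 'map passwd' handling.

Added illustration, not nss-pam-ldapd code. The entries below are constructed
as the OpenLDAP proxy would return them, i.e. with sAMAccountName already
presented as 'uid' by the proxy's rwm map.
"""

# From the nslcd.conf example: attribute nslcd wants -> attribute it reads.
PASSWD_MAP = {
    "homeDirectory": "unixHomeDirectory",
    "gecos": "displayName",
    "gidNumber": "primaryGroupID",
}
PASSWD_FILTER = "(&(objectClass=posixAccount)(!(objectClass=computer))(uidNumber=*))"


def _get(entry, attr):
    """Case-insensitive attribute lookup, returning a list of values."""
    for k, v in entry.items():
        if k.lower() == attr.lower():
            return v
    return []


def parse_filter(s):
    """Parse the RFC 4515 subset nslcd.conf uses here: &, |, !, presence, equality."""
    s = s.strip()
    if not (s.startswith("(") and s.endswith(")")):
        raise ValueError("filter must be parenthesised: " + s)
    body = s[1:-1]
    if body[0] in "&|!":
        subs, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], 1):
            depth += ch == "("
            depth -= ch == ")"
            if depth == 0 and ch == ")":
                subs.append(parse_filter(body[start:i + 1]))
                start = i + 1
        return (body[0], subs)
    attr, value = body.split("=", 1)
    return ("=", attr, value)


def evaluate(node, entry):
    """Evaluate a parsed filter against one entry."""
    op = node[0]
    if op == "&":
        return all(evaluate(n, entry) for n in node[1])
    if op == "|":
        return any(evaluate(n, entry) for n in node[1])
    if op == "!":
        return not evaluate(node[1][0], entry)
    _, attr, value = node
    vals = _get(entry, attr)
    if value == "*":          # presence filter, e.g. (uidNumber=*)
        return bool(vals)
    return any(v.lower() == value.lower() for v in vals)


def passwd_record(entry, mapping=PASSWD_MAP):
    """Build the passwd(5) fields, reading mapped attributes where configured."""
    def field(name):
        vals = _get(entry, mapping.get(name, name))
        return vals[0] if vals else ""
    return {
        "name": field("uid"),
        "uidNumber": field("uidNumber"),
        "gidNumber": field("gidNumber"),   # primaryGroupID: the RID, not an RFC 2307 gid
        "gecos": field("gecos"),
        "home": field("homeDirectory"),
        "shell": field("loginShell"),
    }


def getent_passwd(entries, fltr=PASSWD_FILTER):
    """Return the 'getent passwd' lines for the entries that pass the filter."""
    node = parse_filter(fltr)
    lines = []
    for entry in entries:
        if evaluate(node, entry):
            r = passwd_record(entry)
            lines.append("%(name)s:x:%(uidNumber)s:%(gidNumber)s:%(gecos)s:%(home)s:%(shell)s" % r)
    return lines


# Constructed entries; note alice carries both gidNumber and primaryGroupID.
SAMPLE_ENTRIES = [
    {"objectClass": ["top", "person", "user", "posixAccount"], "uid": ["alice"],
     "uidNumber": ["10001"], "gidNumber": ["10000"], "primaryGroupID": ["513"],
     "displayName": ["Alice Example"], "unixHomeDirectory": ["/home/alice"],
     "loginShell": ["/bin/bash"]},
    {"objectClass": ["top", "person", "user", "posixAccount"], "uid": ["bob"],
     "primaryGroupID": ["513"], "displayName": ["Bob (no uidNumber)"]},
    {"objectClass": ["top", "computer", "user", "posixAccount"], "uid": ["srv01$"],
     "uidNumber": ["10050"], "primaryGroupID": ["515"]},
]

if __name__ == "__main__":
    for line in getent_passwd(SAMPLE_ENTRIES):
        print(line)
```

Only alice is emitted, and her GID field reads 513 (the primaryGroupID RID) rather than the 10000 stored in gidNumber, which is exactly what the "map passwd gidNumber primaryGroupID" line causes on a real system. Removing that mapping from PASSWD_MAP makes the record use the RFC 2307 gidNumber instead.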